systemd: fix pcrlock failure on Hyper-V VMs with vTPM (#16309)

liulanze · web-flow · commit 1fa004a794e7 · 2026-04-22T09:45:12.000-07:00
diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
@@ -20,7 +20,7 @@ Version:        255
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release:        26%{?dist}
+Release:        27%{?dist}
 License:        LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -98,6 +98,9 @@ popd
 /boot/efi/EFI/BOOT/%{grubefiname}
 
 %changelog
+* Thu Mar 26 2026 Lanze Liu <lanzeliu@microsoft.com> - 255-27
+- Bump release to match systemd spec
+
 * Tue Mar 03 2026 Dan Streetman <ddstreet@ieee.org> - 255-26
 - Bump release to match systemd spec
 
diff --git a/SPECS/systemd/fix-pcrlock-hyperv-hash-algorithm-ordering.patch b/SPECS/systemd/fix-pcrlock-hyperv-hash-algorithm-ordering.patch
@@ -0,0 +1,58 @@
+From e90a255e55e3af0effac927ccaa10c2662501e1a Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 21 Feb 2024 14:43:42 +0100
+Subject: [PATCH] pcrlock: handle measurement logs where hash algs in header
+ are announced in different order than in records
+
+Apparently on HyperV the measurement logs announce the hash algs in a
+different order in the header than the records have them. Let's handle
+this gracefully
+---
+ src/pcrlock/pcrlock.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
+index e70c44c6..1fb9d692 100644
+--- a/src/pcrlock/pcrlock.c
++++ b/src/pcrlock/pcrlock.c
+@@ -936,23 +936,30 @@ static int event_log_load_firmware(EventLog *el) {
+                 assert(event->digests.count == n_algorithms);
+ 
+                 for (size_t i = 0; i < n_algorithms; i++, ha = ha_next) {
+-                        ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[i].digestSize;
+-
+                         /* The TPMT_HA is not aligned in the record, hence read the hashAlg field via an unaligned read */
+                         assert_cc(__builtin_types_compatible_p(uint16_t, typeof(TPMI_ALG_HASH)));
+                         uint16_t hash_alg = unaligned_read_ne16((const uint8_t*) ha + offsetof(TPMT_HA, hashAlg));
+ 
+-                        if (hash_alg != algorithms[i].algorithmId)
+-                                return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record don't match log.");
++                        /* On some systems (some HyperV?) the order of hash algorithms announced in the
++                         * header does not match the order in the records. Let's hence search for the right
++                         * mapping */
++                        size_t j;
++                        for (j = 0; j < n_algorithms; j++)
++                                if (hash_alg == algorithms[j].algorithmId)
++                                        break;
++                        if (j >= n_algorithms)
++                                return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record not among those advertised by log header.");
++
++                        ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[j].digestSize;
+ 
+-                        if (!tpm2_hash_alg_to_string(algorithms[i].algorithmId))
++                        if (!tpm2_hash_alg_to_string(hash_alg))
+                                 continue;
+ 
+                         r = event_log_record_add_bank(
+                                         record,
+-                                        algorithms[i].algorithmId,
++                                        hash_alg,
+                                         (const uint8_t*) ha + offsetof(TPMT_HA, digest),
+-                                        algorithms[i].digestSize,
++                                        algorithms[j].digestSize,
+                                         /* ret= */ NULL);
+                         if (r < 0)
+                                 return log_error_errno(r, "Failed to add bank to event log record: %m");
+-- 
+2.45.4
+
diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec
@@ -50,7 +50,7 @@ Version:        255
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release:        26%{?dist}
+Release:        27%{?dist}
 
 # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore
 %global stable 1
@@ -149,6 +149,7 @@ Patch0905:      ipc-call-0001-path-util-add-flavour-of-path_startswith-that-leav
 Patch0906:      ipc-call-0003-core-cgroup-avoid-one-unnecessary-strjoina.patch
 Patch0907:      ipc-call-0002-path-util-invert-PATH_STARTSWITH_ACCEPT_DOT_DOT-flag.patch
 Patch0908:      ipc-call-0004-core-validate-input-cgroup-path-more-prudently.patch
+Patch0909:      fix-pcrlock-hyperv-hash-algorithm-ordering.patch
 
 %ifarch %{ix86} x86_64 aarch64
 %global want_bootloader 1
@@ -1234,6 +1235,10 @@ rm -f %{name}.lang
 # %autochangelog. So we need to continue manually maintaining the
 # changelog here.
 %changelog
+* Thu Mar 26 2026 Lanze Liu <lanzeliu@microsoft.com> - 255-27
+- Fix pcrlock failure on Hyper-V/Azure VMs with vTPM by backporting upstream
+  commit e90a255 from systemd v256 (PR #31429).
+
 * Mon Mar 02 2026 Dan Streetman <ddstreet@ieee.org> - 255-26
 - Apply patches for ipc issue.
 
